Authentication

The Aurion API uses API key authentication. Include your key in the X-API-Key header with every request.

curl -H "X-API-Key: ak_live_xxxx" \
  https://apps.aurionai.net/api/v1/tickets

Each API key is assigned one or more scopes that control which endpoints it can access.

Scope	Description	Endpoints
`tickets:read`	Read tickets and ticket history	`GET /tickets`, `GET /tickets/:id`
`tickets:write`	Create and update tickets	`POST /tickets`, `PUT /tickets/:id`
`kb:read`	Read knowledge base articles	`GET /kb/articles`, `GET /kb/articles/:id`
`kb:write`	Create and update KB articles	`POST /kb/articles`, `PUT /kb/articles/:id`
`users:read`	List and view users	`GET /users`, `GET /users/:id`
`webhooks:manage`	Manage webhook subscriptions	`POST /webhooks`, `DELETE /webhooks/:id`
`calls:read`	View call recordings and logs	`GET /calls`, `GET /calls/:id`
`usage:read`	View usage and billing data	`GET /usage`
`config:read`	Read tenant configuration	`GET /configuration/*`
`config:write`	Update tenant configuration	`PUT /configuration/*`

Scopes are enforced using path-prefix matching. A key with tickets:read can access any GET endpoint under /api/v1/tickets/.

Write scopes grant access to POST, PUT, PATCH, and DELETE methods on the matching path prefix.

The following paths are never accessible via API keys regardless of scopes:

401 Unauthorized — Missing or invalid API key:

{
  "error": "unauthorized",
  "message": "Invalid or missing API key"
}

403 Forbidden — Valid key but insufficient scope:

{
  "error": "forbidden",
  "message": "API key lacks required scope: tickets:write"
}